System and method for secure mobile connectivity

ABSTRACT

The present invention discloses methods and systems for securely connecting mobile nodes to an internal private network using IPsec-based Virtual Private Network (VPN) technology. The system employs a proxy home agent (PHA) located within a secure network and coupled to the home network of a mobile node, a home agent (HA) that is located outside of the secure network, and a VPN gateway to provide VPN services to a mobile device that changes its current address during the VPN session. The HA and PHA are configured to provide Mobile IP Home Agent functionality through a distributed system.

FIELD OF THE INVENTION

[0001] This invention relates to network communications systems in general, and more particularly, to methods and systems for securely connecting mobile nodes to an internal private network using IPsec-based Virtual Private Network (VPN) technology.

BACKGROUND OF THE INVENTION

[0002] The family of Internet Protocols (IP) is the backbone of modern networking, and maintaining interoperability with these standards ensures the broadest possible application of a given technology. IP is also adaptable and has been extended to provide additional functionality.

[0003] Of particular relevance, IP mobility provides a protocol for maintaining an IP session with a mobile device whose actual network connection and IP address might be hopping among different physical networks as the mobile device moves. The protocol defines a system to provide for the routing of a mobile device's data to the current location of the device. This is accomplished through the use of a Home Agent that monitors the permanent IP address and current location of the mobile device. The Home Agent essentially allows the mobile device to have a permanent address that is translated by the Home Agent into the mobile device's current address. This is accomplished through a process called tunneling. Tunneling refers to a process where new “to” and “from” information, i.e. an outer IP header, is added to the front of a packet to reroute it to a given location. Of course, the implementation of IP mobility requires additional overhead. This includes the extra data attached to the packets and the need to keep a record of the mobile device's current location.

[0004] Also of interest, IP security (IPsec) defines a protocol that enables the creation of Virtual Private Networks (VPNs) to ensure the security of transmitted information packets. A VPN gateway creates a tunnel secured by authentication and encryption that can be keyed from credentials provided by an authority entity, such as a key distributor or a public key infrastructure. IPsec VPNs rely on the IP addresses of the participating entities to create the described tunnel.

[0005] IP protocols are regularly used to create private networks. A typical secure network connects to outside resources, such as the public Internet, through a “demilitarized zone.” The secure network represents a localized LAN or WAN that operates apart from the publicly accessible Internet. A classic example would be an internal corporate network. Of course, users of the secure network would like access to the resources of the Internet at large. The secure network uses a firewall to maintain its security while allowing access to external resources. The firewall screens traffic passing between the secure network and the Internet to prevent unauthorized access or security breaches.

[0006] A corporation would also like to make certain information publicly available to the users of the Internet, e.g. the corporation's web site. To maintain the security of the internal network, this information typically resides on servers outside the secure network's firewall, in a DMZ. The DMZ is the only portion of the corporate network that is “visible,” i.e. accessible, to outside users.

[0007] It is also advantageous to allow an Intranet's authorized users to access the secure network when they are not physically connected to it. The most efficient way for a user to establish such a connection is by using the public Internet infrastructure. This would, for example, allow a user to work from home and access files residing on the secure network. This, of course, creates a security problem because it allows information from the secure network to travel over the public Internet, where it is potentially accessible to others. A VPN authenticates the external user and secures information traveling to and from the secure network.

[0008] The IPsec VPN's reliance on the external user's IP address, however, makes it unsuitable for direct use in a mobile environment. Mobile devices using the IP mobility standard change their IP address as they move from one network to another. This could potentially happen many times during a relatively short time period. Using a traditional VPN, the user would have to re-authenticate and re-establish the secure connection after each of these transitions. This result is cumbersome to the point of being unworkable.

SUMMARY OF THE INVENTION

[0009] The present invention is directed at providing systems and methods for combining IP mobility and VPN into an efficient system for providing secure connections to an internal network from an external mobile node. It accomplishes this without modifying the underlying protocols which are used. The system allows a great deal of flexibility in the placement of the network elements disclosed. Embodiments of the present invention can accomplish their goals without the need to change existing network elements. This is particularly advantageous because it allows a user to provide additional functionality without discarding and replacing currently useful equipment.

[0010] According to one aspect, the system and method utilize a home agent (HA) that registers the external mobile device, monitors its current location and directs data intended for the mobile device to its current location. The system also provides a proxy home agent (PHA) that receives transmissions sent to the mobile node inside the secure network and forwards the received data to a VPN gateway for secure transmission to the mobile node. The VPN gateway performs IPsec encapsulation of data en route to the mobile node and transfers that encapsulated data to the home agent for final delivery.

[0011] According to another aspect, the Security Association (SA) state maintenance is limited to a single location.

[0012] According to another aspect of the invention, minimal signaling is used, such that the proxy entries in the PHA are updated by the HA using a mutual static security association. The signaling does not contain all of the Mobile Node signaling. Instead it includes only the messages used to maintain the proxy ARP cache entries.

[0013] According to another aspect of the invention, the VPN gateway and the HA are located within a single device within a DMZ.

[0014] According to a further aspect, the HA is a separate device from the VPN gateway.

[0015] According to yet another aspect, the HA is located within the firewall.

BRIEF DESCRIPTION OF THE DRAWINGS

[0016] FIG. 1A shows a topology of the home agent module co-located with the VPN gateway;

[0017] FIG. 1B illustrates data packet flow from the CN to the MN;

[0018] FIG. 1C illustrates data packet flow from the MN to the CN;

[0019] FIG. 2A shows a topology of the home agent module co-located with a firewall;

[0020] FIG. 2B illustrates data packet flow from the CN to the MN;

[0021] FIG. 2C illustrates data packet flow from the MN to the CN;

[0022] FIG. 3A shows a topology of the home agent module situated on the same network as the VPN gateway;

[0023] FIG. 3B illustrates data packet flow from the CN to the MN;

[0024] FIG. 3C illustrates data packet flow from the MN to the CN; and

[0025] FIGS. 4-8 show topologies for MIP/VPN/Firewall traversal, in accordance with aspects of the invention.

DETAILED DESCRIPTION

[0026] In the following description of the various embodiments, reference is made to the accompanying drawings which form a part hereof, and in which are shown by way of illustration various embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural and functional modifications may be made without departing from the scope of the present invention.

[0027] Throughout the specification and claims, the following terms take the meanings explicitly associated herein, unless the context clearly dictates otherwise. The term “IP” means any type of Internet Protocol. The term “node” means a device that implements IP. The term “router” means a node that forwards IP packets not explicitly addressed to itself. The term “routable address” means an identifier for an interface such that a packet is sent to the interface identified by that address. The term “link” means a communication facility or medium over which nodes can communicate. The term DMZ refers to Demilitarized Zone—a part of the network immediately outside a corporate network's firewall, visible to the outside. The term “HA” refers to Home Agent—a network element on a mobile node's home address link that defends the mobile node's address with ARP while the mobile node is roaming off-link. The term “Mobile Node” (MN) refers to a node that is configured to move away from its topologically correct address while communicating with other nodes still using that address.

[0028] The following abbreviations and terms are used throughout the specification and claims: ACL: Access Control List; ARP: Address Resolution Protocol; IPv4: Internet Protocol Version 4; IPv6: Internet Protocol Version 6; L2: Layer 2, the link layer; L3: Layer 3, the network layer; and NAT: Network Address Translation.

[0029] Referring to the drawings, like numbers indicate like parts throughout the views. Additionally, a reference to the singular includes a reference to the plural unless otherwise stated or inconsistent with the disclosure herein.

[0030] The present invention is directed at combining the IP mobility and IP security (IPsec) protocols to establish an efficient system for securely connecting mobile nodes to an internal network. The present invention can be implemented in IPv4, IPv6 or future versions of the IP protocol. This combination is achieved through the use of a Home Agent (HA) and a Proxy Home Agent (PHA) to efficiently secure the session of a freely roaming mobile node. Foreign Agents (FAs) may or may not reside in the mobile node's visited network without affecting the solution. For purposes of the discussion, the functionality of the FA is not modified, so it is not discussed herein.

[0031] A mobile node is embodied by hardware devices that can move about while being used. Examples of these devices include PDAs, mobile handsets, tablet computers, etc. To practice the present invention a particular mobile device typically contains hardware and software programmed to carry out the IP mobility and the IPsec protocols. The mobile node is assigned a permanent IP address to use on the secure network, e.g., its corporate Intranet. This address, however, is not accessible to the mobile node when it roams beyond the confines of the secure network and connects to other Internet networks. To obtain access to the secure network the mobile node employs the IP mobility and IPsec protocols to establish a secure connection to its home Intranet. This connection is facilitated by the Home Agent and a Proxy Home Agent.

[0032] The Home Agent provides IP mobility connectivity for the secure network's mobile nodes. The Home Agent maintains an external IP address that is accessible to the public Internet. This provides an access point that enables a mobile node to establish an IP mobility connection. In practice, the Home Agent is embodied by software and/or hardware that is network connected and implements an IP mobility protocol. This functionality can be provided, using standard design techniques, in a stand-alone hardware device or it can be integrated into networking components that provide other functionality. The Home Agent's IP mobility responsibilities include establishing a connection with the mobile node, creating a security association with the mobile node, and maintaining a record of the mobile node's current location. Other and further functions of the Home Agent are described throughout this specification.

[0033] The Proxy Home Agent monitors a mobile node's permanent address when the device leaves the secure network. The Home Agent notifies the PHA that a particular mobile node is connecting from outside the secure network. The PHA can then keep a list of these nodes and forward all incoming traffic sent to the node's internal permanent IP address. The PHA is embodied by software and/or hardware to perform the above-described function. Just as described with respect to the Home Agent, the PHA's functionality can be incorporated in a stand-alone device or combined with other networked devices. Other and further aspects of the PHA are described throughout this specification.

[0034] FIGS. 1A-1C show an embodiment of the invention, in accordance with aspects of the present invention.

[0035] FIG. 1A shows a topology of the home agent module co-located with the VPN gateway, in accordance with aspects of the invention. Mobile node 5 is a mobile device belonging to a secure network, home network 10, but currently connecting via public Internet 1. The functionality of a conventional Mobile IP home agent is divided into two parts: the Proxy Home Agent and the Home Agent. The signaling and tunneling functionalities of a conventional Mobile IP home agent reside on the HA. PHA 15 is configured to include the proxying functionality typically found in a Mobile IP HA. Proxy Home Agent (PHA) 15 is coupled to home network 10 and is within the secure network. According to one embodiment, a separate PHA is coupled to each home network located within the secure network and a single HA is used for each secure network. For example, referring to the figure, PHA 16 is coupled to home network 2. Therefore, there may be multiple PHAs for a secure network but only one HA for the secure network. Other devices also reside within the secure network and communicate with each other over the network. Correspondent node 18 represents an arbitrary network member that mobile node 5 is communicating with. CN 18 may be coupled to any network. For example, CN 18 may be coupled to Internet 1, Corporate Network 60, Home Network 10, or home network 2. Firewall 30 represents a device that bridges the Intranet and external entities. Firewall 30 can be embodied by any known hardware and/or software used to create firewalls. DMZ 20 represents networking infrastructure maintained by the owners of the secure network, but publicly accessible, i.e. visible, over the Internet. As shown, Firewall 30 connects DMZ 20 and the secure network so as to allow only authorized communications into the Corporate Network's secure environment. Home network 10 and home network 2 are associated with corporate network 60. VPNgw/HA 55 resides in DMZ 20 and provides externally accessible connections for the mobile node. VPNgw/HA 55 is a single device that performs both IP mobility and IPsec VPN gateway functions.

[0036] The functions performed in the various elements are best described through reference to the packet state diagrams depicted in FIGS. 1B and 1C.

[0037] FIG. 1B illustrates data packet flow from the CN to the MN, in accordance with aspects of the invention.

[0038] Original packet 200 represents the actual IP packet sent by a correspondent node to the mobile node. The original packet has a header containing the correspondent node's address (CN) and the permanent address of the mobile node (MNperm), followed by the transmitted data. The CN sends the data to the mobile node's permanent address. As discussed above, the CN may be located anywhere. For example, the CN can be inside the Corporate Network or even in the Internet. When the CN sends a packet to the MN, it is received on the MN's home network by the PHA on behalf of the MN.

[0039] Proxy Home Agent 15 monitors the network to help ensure that all packets are delivered to the associated mobile nodes. As shown in FIG. 1A, mobile node 5 is coupled to the Internet, and PHA 15 monitors the network for packets destined to the mobile node. One of the duties of the Home Agent is to send data to the PHA indicating that a particular mobile node is currently connecting from outside the Intranet. According to one embodiment, the communication between the PHA and the HA is secured via a static security association. This information is used to create a list on the PHA indicating which mobile IP addresses to monitor and forward off the secure network. Accordingly, the PHA will accept the original packet 200, sent by the correspondent node, in place of the mobile node.

[0040] The PHA then sends the original packet 200 to the VPN/HA. The packet from the PHA to the VPN gateway is IP-in-IP encapsulated. As shown, PHA packet 210 simply acts as a tunnel, with the original packet encapsulated in address routing information indicating VPNigw as the destination and the PHA as the origin. VPNigw represents an address of the VPN/HA that is directly connected to the secure network and only carries secure traffic internal to the secure network.

[0041] The VPN/HA's receipt of a packet from the PHA on the VPNigw address identifies the packet as an outgoing packet being securely sent to a mobile node. First, the VPN gateway functionality of the VPN/HA strips the header added by the PHA. The VPN gateway then performs IPsec encryption to create VPN packet 220. The details of this procedure are described by the IPsec protocol. The VPN session is established between the VPN gateway and the permanent address of the mobile node 5. The permanent address does not change. Therefore, the session is not affected by the mobile node changing its current IP address as the user moves about. As can be seen, the VPN packet contains the entire original packet, albeit in encrypted form, an ESP header that contains information regarding the security used, and routing information from the VPN gateway to the permanent address of the mobile node. These packets are not ready to be transmitted to the mobile node because they are addressed to the mobile node's permanent address, not its current address.

[0042] The Home Agent functionality of the VPN/HA establishes the IP mobility tunnel to the current address of the mobile device. Thus, the VPN packet is handed off to the Home Agent. Note that the embodiment shown in FIGS. 1A-1C describes a HA and VPN gateway that are co-located in a single device. Accordingly, the transfer of data between them does not require an IP transmission. The HA connects to the mobile device and establishes an IP mobility session. This step is accomplished according to the standards set by the IP mobility protocol. As the mobile node moves and changes its IP address, it updates the HA according to the IP mobility protocol. The tunneling is accomplished by prepending new routing information to the VPN packets to create HA packet 230. Reference to the figures shows that the current address of the mobile node is represented by its care-of address (CoA); this follows the conventions defined by the IP mobility protocol. The return address is the public address of the HA. With the appropriate CoA routing information the HA packets are transmitted to the mobile device.

[0043] The process is completed by the mobile node upon receipt of the HA packets. The mobile node strips the HA routing information off the packets through IP mobility decapsulation. This creates M_VPN packet 240, which is identical to the VPN packet. Next, the mobile node performs decryption according to the IPsec protocol to obtain M_Original packet 250, which is identical to the original packet.

[0044] FIG. 1C illustrates data packet flow from the MN to the CN, in accordance with aspects of the invention. Original Packet 201 is analogous to the original packet in the previous example, except the address information is reversed because the packet is traveling in the opposite direction. After creating original packet 201 the mobile node performs IPsec encryption and addresses the encrypted VPN packet 211 to the VPN gateway. Again, the contents are analogous to the contents of the VPN packet from the previous example.

[0045] The mobile node, however, cannot send this packet directly to the VPN gateway because it is roaming and must communicate using the IP mobility protocol. A reason for this is that the mobile node's VPN session is established using the mobile node's permanent address, so this address must be the return address of the packet received by the VPN gateway. The mobile node, therefore, performs a reverse mobility tunneling procedure between itself and the HA, thereby creating HA packet 231. Just as in the previous example, it is the HA packet that is actually transmitted over the Internet.

[0046] Upon receipt of the HA packet the Home Agent removes the IP mobility tunneling header to create I_VPN packet 241, which is sent to the VPN gateway. The IPsec functionality decrypts it and reveals I_Original packet 251. The original packet can then be forwarded to its final destination at the correspondent node (CN).
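The packet states of FIGS. 1B and 1C can be followed in a small model. The following is an added example and not code from the patent: the addresses, the keys and the toy ESP transform (an HMAC-SHA256 keystream with a truncated HMAC tag and an anti-replay set, standing in for the real ESP algorithms) are assumptions, as is the reverse-tunnel check in the Home Agent, which the patent does not specify. The model shows why the VPN session survives a handoff: the ESP header carries the VPN gateway and MNperm throughout, and only the outer Mobile IP header changes with the care-of address.

```python
# Added model of the packet states in FIGS. 1B and 1C; not code from the patent.
# IPsec ESP is stood in for by a toy HMAC-SHA256 encrypt-then-MAC so the model runs
# on the standard library alone. All addresses and keys are assumed placeholders.
import hashlib, hmac
from dataclasses import dataclass

CN, MN_PERM, PHA_ADDR = "10.1.0.9", "10.1.0.77", "10.1.0.2"            # secure network
VPN_IGW, VPN_PUB, HA_PUB = "10.9.0.1", "203.0.113.10", "203.0.113.20"  # VPNgw/HA 55
COA_1, COA_2 = "198.51.100.5", "192.0.2.44"                            # care-of addresses

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str       # "data", "ipip" (PHA tunnel), "esp" (VPN), "mip" (HA tunnel)
    payload: object  # bytes for "data", Pkt for tunnels, (seq, ciphertext, tag) for "esp"

def encode(p):  # wire form of a "data" packet: header fields, then payload
    return f"{p.src}|{p.dst}|".encode() + p.payload

def decode(b):
    src, dst, data = b.split(b"|", 2)
    return Pkt(src.decode(), dst.decode(), "data", data)

class EspSa:
    """One unidirectional SA bound to fixed endpoint addresses, never to a CoA."""
    def __init__(self, src, dst, key):
        self.src, self.dst, self.key = src, dst, key
        self.seq, self.seen = 0, set()   # sender counter / receiver anti-replay set
    def _prf(self, *parts):
        return hmac.new(self.key, b"".join(parts), hashlib.sha256).digest()
    def _xor(self, seq, data):           # toy keystream: HMAC(key, "ks" || seq || block#)
        ks = b"".join(self._prf(b"ks", seq.to_bytes(4, "big"), i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, ks))
    def protect(self, inner):            # 200 -> 220 and 201 -> 211
        self.seq += 1
        ct = self._xor(self.seq, encode(inner))
        tag = self._prf(b"tag", self.seq.to_bytes(4, "big"), ct)[:12]
        return Pkt(self.src, self.dst, "esp", (self.seq, ct, tag))
    def unprotect(self, pkt):            # 240 -> 250 and 241 -> 251
        seq, ct, tag = pkt.payload
        good = hmac.compare_digest(tag, self._prf(b"tag", seq.to_bytes(4, "big"), ct)[:12])
        if not good or seq in self.seen:
            raise ValueError("ESP integrity or anti-replay check failed")
        self.seen.add(seq)
        return decode(self._xor(seq, ct))

class HomeAgent:
    """Signaling and tunneling half of the Mobile IP HA (VPNgw/HA 55 in FIG. 1A)."""
    def __init__(self):
        self.binding = {}           # MNperm -> current care-of address
        self.pha_watch = set()      # the PHA's list of roaming MNs, kept current by the HA
    def register(self, mn_perm, coa):    # Mobile IP registration after each handoff
        self.binding[mn_perm] = coa
        self.pha_watch.add(mn_perm)      # the only HA -> PHA signaling needed ([0012])
    def tunnel(self, vpn_pkt):           # 220 -> 230: prepend HA -> CoA routing
        return Pkt(HA_PUB, self.binding[vpn_pkt.dst], "mip", vpn_pkt)
    def detunnel(self, pkt):             # 231 -> 241, with an added reverse-tunnel check
        inner = pkt.payload              # (assumed policy: outer src must be the registered CoA)
        if pkt.proto != "mip" or self.binding.get(inner.src) != pkt.src:
            raise ValueError("outer source is not the registered CoA for this MN")
        return inner

def pha_forward(pkt, watch):             # 200 -> 210: IP-in-IP from the PHA to VPNigw
    if pkt.dst not in watch:
        raise LookupError("MN is on-link; the PHA does not proxy for it")
    return Pkt(PHA_ADDR, VPN_IGW, "ipip", pkt)

def cn_to_mn(ha, sa_out, data):
    p210 = pha_forward(Pkt(CN, MN_PERM, "data", data), ha.pha_watch)
    p220 = sa_out.protect(p210.payload)  # VPN gw strips the PHA header, then applies ESP
    p230 = ha.tunnel(p220)               # HA adds the CoA routing header
    return p230, sa_out.unprotect(p230.payload)   # MN: MIP decapsulation, then IPsec -> 250

def mn_to_cn(ha, sa_in, coa, data):
    p211 = sa_in.protect(Pkt(MN_PERM, CN, "data", data))  # source stays MNperm
    p231 = Pkt(coa, HA_PUB, "mip", p211)                   # reverse tunnel from the CoA
    return sa_in.unprotect(ha.detunnel(p231))              # HA -> VPN gw -> 251

def demo():
    ha = HomeAgent()
    sa_out = EspSa(VPN_PUB, MN_PERM, b"assumed-key-out")   # VPN gw -> MN
    sa_in = EspSa(MN_PERM, VPN_PUB, b"assumed-key-in")     # MN -> VPN gw
    ha.register(MN_PERM, COA_1)
    p230, down1 = cn_to_mn(ha, sa_out, b"hello")
    ha.register(MN_PERM, COA_2)          # handoff: only the Mobile IP binding changes
    p230b, down2 = cn_to_mn(ha, sa_out, b"again")
    up = mn_to_cn(ha, sa_in, COA_2, b"reply")
    try:
        mn_to_cn(ha, sa_in, COA_1, b"forged")   # stale or spoofed CoA after the handoff
        rejected = False
    except ValueError:
        rejected = True
    return {"coa": (p230.dst, p230b.dst),
            "esp_hdr": (p230.payload.src, p230.payload.dst, p230b.payload.src, p230b.payload.dst),
            "down": (down1.payload, down2.payload),
            "up": (up.src, up.dst, up.payload), "spoof_rejected": rejected}
```

Running `demo()` shows the outer destination moving from the first to the second care-of address while the ESP header stays (VPN gateway, MNperm) on both sides of the handoff, so the same SA decrypts both downlink packets and the uplink packet reaches the gateway with MNperm as its source. The two SAs are unidirectional, as IPsec SAs are; a single object serves both ends here only because the model runs both in one process.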

[0047] FIGS. 2A-2C disclose another embodiment of the present invention, in accordance with aspects of the invention. In this embodiment the Home Agent is co-located in the same device as the firewall, Firewall/HA 35, rather than being located with the VPN gateway as in the previous embodiment. The overall operation of the FIG. 2 embodiment is similar to the FIG. 1 embodiment. For example, PHA 15 performs the same function of monitoring the Intranet and forwarding packets destined for the mobile node 5 when it is away from the Intranet. Similarly, the HA component of Firewall/HA 35 establishes the Mobile IP connection with the traveling mobile node, while VPN gateway 50 maintains the secure connection.

[0048] FIG. 2B illustrates data packet flow from the CN to the MN, in accordance with aspects of the invention. The different topology slightly alters the packet manipulations to transmit packets from the CN to the MN. The first three steps are identical to the description provided for FIG. 1B. Original packet 200 is generated by the correspondent node; it is picked up by the PHA, which creates the PHA packet 210; the PHA packet is forwarded to the VPN gateway, which encrypts the packet to create the VPN packet 220. The next step differs since the VPN gateway and HA are no longer co-located; therefore, network routing is performed to transfer the packet to the HA. This is accomplished by creating VPN-HA packet 225, by adding routing information to the VPN packet. This packet is now suitable for transmission to the HA. The HA receives the VPN-HA packet and strips the routing information. The remaining three steps are identical to the last three steps described in FIG. 1B. The HA creates HA packet 230 to tunnel the information to the mobile node; the mobile node strips the tunnel information to create M_VPN packet 240; and the VPN packet is decrypted to retrieve M_Original packet 250.

[0049] FIG. 2C illustrates data packet flow from the MN to the CN, in accordance with aspects of the invention. The packet states for this process are identical to those described with respect to FIG. 1C; however, the process is slightly different. The functions performed by the mobile node are identical. Original packet 201 is created; it is encrypted according to IPsec to create VPN packet 221; and reverse tunneling adds new routing information and creates the HA packet 231. Just as in the FIG. 1C example, the HA packets are sent to the Home Agent, where the tunneling information is removed to reveal the I_VPN packet 241. This packet is then forwarded to the VPN gateway. This step is different, although only slightly, from the FIG. 1C example since the transmission from the HA to the VPN gateway is a network transmission, the VPN gateway and HA now being separate devices. The VPN gateway receives the packets, decrypts them and passes the original I_Original packet 251 to the correspondent node.

[0050] FIGS. 3A-3C disclose another embodiment of the present invention, in accordance with aspects of the invention.

[0051] FIG. 3A shows a topology of the home agent module situated on the same network as the VPN gateway, in accordance with aspects of the invention.

[0052] An advantage of this embodiment is that the Home Agent is a stand-alone device residing in the DMZ. Since the HA in this embodiment is a separate device, it can easily be integrated into an existing network's established infrastructure. The HA and PHA can be implemented on separate boxes without modifying other parts, such as the VPN gateway or Firewall.

[0053] FIG. 3B illustrates data packet flow from the CN to the MN, in accordance with aspects of the invention. Original packet 200 is generated by the correspondent node; it is picked up by the PHA, which creates the PHA packet 210; the PHA packet is forwarded to the VPN gateway, which encrypts the packet to create the VPN packet 220. Network routing is performed to transfer the packet to the HA. This is accomplished by creating VPN-HA packet 225, by adding routing information to the VPN packet. This packet is now suitable for transmission to the HA. The HA receives the VPN-HA packet and strips the routing information. The HA creates HA packet 230 to tunnel the information to the mobile node; the mobile node strips the tunnel information to create M_VPN packet 240; and the VPN packet is decrypted to retrieve M_Original packet 250.

[0054] FIG. 3C illustrates data packet flow from the MN to the CN, in accordance with aspects of the invention. Original packet 201 is created; it is encrypted according to IPsec to create VPN packet 221; and reverse tunneling adds new routing information and creates the HA packet 231. The HA packets are sent to the Home Agent, where the tunneling information is removed to reveal the I_VPN packet 241. This packet is then forwarded to the VPN gateway. The transmission from the HA to the VPN gateway is a network transmission since the VPN gateway and HA are now in separate devices. The VPN gateway receives the packets, decrypts them and passes the original I_Original packet 251 to the correspondent node.

[0055] A potential problem might arise when transmitting data from the VPN gateway in the DMZ to a correspondent node located inside the Corporate Network. The VPN gateway might be classified as an external element, and if so, when it sends the original packet off to the correspondent node the packet must pass through the Firewall. The Firewall will see a packet with an internal source IP address, i.e. the mobile node's permanent address, arriving on its external interface. A properly configured Firewall would normally drop, i.e. prohibit, such a packet. If it did not, a malicious Internet user could spoof packets with that format and disrupt the Intranet. Other embodiments described herein are directed at solving this problem.

[0056] In the last two embodiments described, where the HA is a separate device, an assumption was made that the VPN gateway is capable of establishing an IP-in-IP tunnel between itself and the HA. This helps to ensure that the encrypted packets can be forwarded to the HA for further transmission to the mobile node after adding routing information according to the Mobile IP protocol. If the VPN gateway does not have this capability, however, then there is an alternative way to accomplish the same. This may be done by adding a static route on the VPN gateway such that all packets destined to MNperm are sent to the HA. The HA can then accept these packets by the use of a proxy ARP entry.

[0057] This assumption was made since one of the advantages of the present invention is using the existing network elements without any changes if the HA functionality is on a separate device. Therefore, if the existing VPN gateway in a customer's network does not have the capability of IP-in-IP tunneling, then an alternate way to accomplish the same is provided.

[0058] FIGS. 4-8 show topologies for MIP/VPN/Firewall traversal, in accordance with aspects of the invention. FIG. 4 shows an exemplary topology for MIP/VPN/Firewall traversal, in accordance with aspects of the invention. Let us consider the scenario where the Home Agent is a separate device that resides on the same network as the VPN gateway, as shown in FIG. 4. This implies that the Mobile IPv4 tunnel between the Home Agent and the Mobile Node ends outside the firewall-protected corporate network. If the correspondent node resides inside the corporate network, the VPN gateway, after decryption, will forward the packet inside the corporate network through the firewall. However, the firewall, when it receives on an external interface a packet whose source address belongs to a host inside the security domain, will drop the packet. Creating rules that allow packets with source addresses belonging to a mobility network on that basis alone may be dangerous. Such a rule can be misused to attack the corporate network by spoofing packets. FIGS. 5-8 and the related discussion present four possible topologies, based on existing corporate network infrastructure, where the Home Agent can be placed. For each of these topologies configuration information is presented that will circumvent the firewall traversal problem. For purposes of discussion, an assumption is made that all Mobile Nodes belong to one home network and that the address range is denoted as N. This address range is part of the corporation's internal address range. To be mobile, a node's IP address must be part of N.

[0059] FIG. 5 illustrates an exemplary topology for MIP/VPN/Firewall traversal in accordance with aspects of the invention. In this topology, external firewall 92 is configured such that it drops all packets that have a source address belonging to N. Additional checks are added to the Home Agent so that packets it receives must have been IPsec encapsulated. Internal firewall 95 has rules that allow packets from the network N to go through the firewall. In this way only IPsec-encapsulated packets from the Mobile Node are allowed into the corporate network. The external firewall takes care of dropping spoofed packets.

[0060] FIG. 6 shows a block diagram demonstrating another embodiment for solving the Firewall traversal problem. Once again, all mobile nodes in the system are assigned a permanent address in a given range N. In this embodiment router1 96 is added to the DMZ. Hackers can spoof packets with source addresses that belong to the address range N and attack the corporate network. Packets formatted this way will be sent directly to the firewall through router1 (96). These packets will not be sent via the VPN gateway or the Home Agent. Here an Access Control List (ACL)/firewall rule can be added to the firewall to allow packets with a source address belonging to network N from the VPN gateway's MAC address alone. All data packets from the MN destined toward nodes inside the corporate network will first go to the Home Agent and then to the VPN gateway. It is from the VPN gateway that these packets are then forwarded through the firewall to the inside. Packets from router1 to the firewall with a source address in N will be dropped by the firewall. If the firewall allows only selected packets inside (based on MAC address), then a denial-of-service type attack using source addresses from N can be prevented.

[0061] FIG. 7 shows an exemplary topology for MIP/VPN/Firewall traversal in accordance with aspects of the invention. Once again, all mobile nodes in the system are assigned a permanent address in a given range N. In this topology, router 72 is directly connected to the firewall. The VPN gateway and the Home Agent connect to a different interface of the router and firewall. The firewall is configured such that it considers the interface with which it connects to the VPN gateway as internal. Packets with a source address that belongs to the address range N received on this internal interface will not be dropped. By default, all packets are sent to the firewall. All packets with a source address that belongs to N received by the firewall on the external interface are dropped. All VPN-encapsulated packets are forwarded to the VPN gateway. If a Security Association (SA) exists, the packet is decrypted and forwarded to the firewall on the internal interface. Otherwise the packet is dropped. All Mobile IPv4 and VPN-encapsulated packets first reach the Home Agent. These are then forwarded to the VPN gateway and then to the corporate network through the firewall's internal interface. The VPN gateway ensures that it receives only VPN-encapsulated packets on the external interface. All other packets that it receives on the external interface are dropped.

[0062] FIG. 8 illustrates an exemplary topology for MIP/VPN/Firewall traversal in accordance with aspects of the invention. This topology is very similar to the topology illustrated in FIG. 5, except that the external firewall is not present. To facilitate the firewall allowing packets from the Mobile Nodes to reach destinations inside the corporate network, a rule is added to allow such packets to pass through. To prevent spoofed packets from entering the corporate network, Access Control Lists (ACLs) are created on the router to drop packets that have a source address belonging to the address range N. This prevents spoofed packets from reaching the VPN gateway or the Home Agent and hence the firewall. Since spoofed packets have already been filtered by the router, the firewall can safely allow packets from the address range N inside.
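The anti-spoofing decisions of paragraphs [0060] through [0062] (the MAC-restricted rule of FIG. 6, the internal/external interface split and SA check of FIG. 7, and the router ACL of FIG. 8) as a small policy model. This is an added example, not code from the patent; the range N, the interface names, the MAC address and the sample packets are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RANGE_N = ip_network("10.200.0.0/16")    # constructed: permanent-address range N of the mobile nodes
VPN_GW_MAC = "02:00:00:00:00:a1"         # constructed: MAC address of the VPN gateway


@dataclass(frozen=True)
class Packet:
    src: str                     # IP source address
    in_iface: str                # interface on which the device received the packet
    src_mac: str = ""            # L2 source, consulted only by the FIG. 6 rule
    vpn_encapsulated: bool = False
    has_sa: bool = False         # VPN gateway holds a Security Association for this peer


def in_range_n(addr: str) -> bool:
    return ip_address(addr) in RANGE_N


def fig6_firewall_accepts(pkt: Packet) -> bool:
    """FIG. 6: a source in N is accepted only when the frame carries the VPN gateway's MAC,
    so spoofed packets arriving via router1 (a different MAC) are dropped."""
    if in_range_n(pkt.src):
        return pkt.src_mac.lower() == VPN_GW_MAC
    return True   # traffic outside N falls through to the ordinary policy (modelled as pass)


def fig7_firewall_accepts(pkt: Packet) -> bool:
    """FIG. 7: the interface towards the VPN gateway ('vpn') is treated as internal;
    a source in N is accepted there and dropped on the external interface ('ext')."""
    if in_range_n(pkt.src):
        return pkt.in_iface == "vpn"
    return True


def fig7_vpn_gateway_forwards(pkt: Packet) -> bool:
    """FIG. 7 VPN gateway: only VPN-encapsulated packets with an existing SA are
    decrypted and forwarded to the firewall's internal interface; all else is dropped."""
    return pkt.in_iface == "ext" and pkt.vpn_encapsulated and pkt.has_sa


def fig8_router_acl_permits(pkt: Packet) -> bool:
    """FIG. 8: the router ACL drops any source in N before it can reach the VPN gateway,
    the Home Agent or the firewall; genuine MN traffic arrives VPN-encapsulated from its
    care-of address, which is outside N, and therefore passes."""
    return not in_range_n(pkt.src)
```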

[0063] The many features and advantages of the present invention are apparent from the detailed specification, and thus, it is intended by the appended claims to cover all such features and advantages of the invention which fall within the true spirit and scope of the invention.

[0064] Furthermore, since numerous modifications and variations will readily occur to those skilled in the art, it is not desired that the present invention be limited to the exact instruction and operation illustrated and described herein. Accordingly, all suitable modifications and equivalents that may be resorted to are intended to fall within the scope of the claims.

What is claimed is:
 1. A system for providing secure mobile connectivity that implements Mobile IP Home Agent functionality via distributed components, comprising: a mobile node belonging to a home network located within a secure network; the mobile node having a network interface configured to communicate with other nodes; a router configured to forward packets between networks; a Proxy Home Agent (PHA) connected to the home network and located within the secure network that is configured to provide a portion of the Mobile IP Home Agent functionality; a Home Agent (HA) located outside of the secure network that is configured to provide another portion of the Mobile IP Home Agent functionality; and a VPN gateway coupled to the router and the secure network and configured to work in conjunction with the PHA and the HA.
 2. The system of claim 1, wherein the VPN gateway and the HA are located within a single device within a DMZ.
 3. The system of claim 1, further comprising a firewall coupled to the secure network and the VPN gateway; wherein the HA is located within the firewall.
 4. The system of claim 1, wherein the HA is a separate device from the VPN gateway.
 5. The system according to claim 1, further comprising: a DMZ located outside the secure network, wherein the VPN gateway and the HA reside in the DMZ; a first firewall between the secure network and the DMZ; a second firewall between the DMZ and an external network configured to deny communications from the external network with a source address in the known range; and wherein the mobile node has a permanent address in a known range.
 6. The system according to claim 1, further comprising: a DMZ located outside the secure network, wherein the VPN gateway and the home agent reside in the DMZ; a first firewall between the secure network and the DMZ; wherein the mobile node has a permanent address in a known range and the first firewall is programmed to deny all communications from the DMZ with a source address in the known range; and wherein the VPN gateway has a direct connection to an internal interface of the first firewall such that the first firewall considers the VPN gateway transmitted data as internal to the secure network.
 7. The system of claim 1, further comprising a DMZ comprising a first router coupled to a second router that is coupled to a firewall, the VPN gateway coupled to the first router and the firewall; the HA coupled to the router.
 8. The system of claim 7, wherein packets from the MN destined toward nodes inside the secure network first go to the HA and then to the VPN gateway that is configured to forward the packets through the firewall to the secure network.
 9. The system of claim 8, wherein packets from the second router to the firewall having a source address in a known range are dropped by the firewall.
 10. The system according to claim 1, wherein the router is directly connected to a firewall and the VPN gateway and the HA connect to a different interface of the router and the firewall.
 11. The system of claim 10, wherein the firewall is configured such that it considers the interface with which it connects to the VPN gateway as an internal interface and packets with a source address that are outside of a known address range received on the internal interface are dropped, and packets with a source address that are within the known address range that are received by the firewall on an external interface are dropped.
 12. The system of claim 11, wherein VPN encapsulated packets are forwarded to the VPN gateway and when a Security Association (SA) exists, the packet is decrypted and forwarded to the firewall on the internal interface and when an SA does not exist the packet is dropped.
 13. The system of claim 12, wherein Mobile IP packets and VPN encapsulated packets first reach the Home Agent which are forwarded to the VPN gateway and then to the secure network through the firewall's internal interface.
 14. The system of claim 1, further comprising a firewall coupled to the secure network and the VPN gateway; wherein the router includes an access control list used to drop packets that have a source address that belongs to a known address range.
 15. A method for secure communication between a mobile node associated with a home network in a secure network and a correspondent node; comprising: establishing a Proxy Home Agent (PHA) located within the secure network to monitor data directed to the mobile node; establishing a Home Agent configured to create a security association with the mobile node; collecting data directed to the mobile node; packaging the collected data in a VPN secure tunnel to an internal address of the mobile node to create VPN packaged data; and tunneling the VPN packaged data to a current address of the mobile node.
 16. The method of claim 15, wherein the VPN secure tunnel follows the IP security protocol.
 17. The method of claim 15, wherein the tunneling of the VPN packaged data to the external mobile node occurs according to the IP mobility protocol.
 18. The method of claim 15, further comprising: packaging the collected data in an IP-in-IP tunnel and sending it to a VPN device for VPN encryption and tunneling the VPN packaged data to the current address of the Mobile node.
 19. A system for secure mobile connectivity that implements Mobile IP Home Agent functionality via distributed components; comprising: means for establishing a Proxy Home Agent (PHA) located within the secure network to monitor data directed to the mobile node; means for establishing a Home Agent configured to create a security association with the mobile node; means for collecting data directed to the mobile node; means for packaging the collected data in a VPN secure tunnel to an internal address of the mobile node to create VPN packaged data; means for tunneling the VPN packaged data to a current address of the mobile node; means for the Home Agent to communicate to the PHA that the mobile node has moved outside its home network; and means for the Home Agent to communicate to the PHA that the mobile node has come back to its home network; and means for enabling the PHA to create and remove a proxy ARP entry for a permanent address associated with the mobile node.